The complete contents of eval-stdin.php:

    #!/usr/bin/env php
    <?php eval(file_get_contents('php://stdin'));

When the vendor/ directory is served from the web root, the file can be reached with an ordinary HTTP request whose body becomes the script's standard input:

    POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
A typical project that installs PHPUnit (versions 4.x to 9.x) through Composer has the following layout; the relevant directories are marked:

    myapp/
      composer.json
      src/           (your application code)
      tests/         (your test cases)
      vendor/        (dependencies; note it sits at the project root, not under the web root)
        phpunit/phpunit/src/Util/PHP/eval-stdin.php
      public/        (web root)
        index.php
      phpunit.xml
Update your deployment pipelines to ensure development dependencies are excluded.
PHPUnit Remote Code Execution (CVE-2017-9841)

PHPUnit is a programmer-oriented testing framework for PHP.
The file eval-stdin.php ships with older versions of PHPUnit, a popular testing framework for PHP. Its sole purpose was to read PHP code from standard input (php://stdin) and execute it with PHP's internal eval() function. The design was intended to support test isolation and command-line execution, not to be reachable over HTTP.
Let’s break down what this means and why it matters for web application security.
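As an added example (not code from the original page or from the PHPUnit project), here is a defender-side audit in Python: it walks a web root looking for a served copy of eval-stdin.php, and flags access-log requests that reach the file. The sample web root and log lines are constructed inside the script, and the function names are my own.

```python
"""Audit a web root and access log for exposure of PHPUnit's eval-stdin.php (added example)."""
from __future__ import annotations
import os
import re
import tempfile

# Path of the helper inside a Composer-installed PHPUnit, as shown on the page.
EVAL_STDIN_REL = "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

def find_exposed_eval_stdin(webroot: str) -> list[str]:
    """Return every eval-stdin.php found beneath the served directory.

    Anything under the web root can be requested over HTTP, so a hit means
    development dependencies were deployed inside the document root.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        if "eval-stdin.php" in files and dirpath.replace(os.sep, "/").endswith("Util/PHP"):
            rel = os.path.relpath(os.path.join(dirpath, "eval-stdin.php"), webroot)
            hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

# Request line and status code from a "combined" format access-log entry.
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def flag_eval_stdin_requests(log_lines: list[str]) -> list[tuple[str, str, int]]:
    """Return (method, path, status) for every request that targets eval-stdin.php.

    A POST answered with 200 is the case to escalate: the file exists and
    accepted a request body, which is exactly what the page describes.
    """
    flagged = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m and "eval-stdin.php" in m.group("path").lower():
            flagged.append((m.group("method"), m.group("path"), int(m.group("status"))))
    return flagged

def demo() -> tuple[list[str], list[tuple[str, str, int]]]:
    """Build a constructed web root and constructed log lines, then audit both."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, *EVAL_STDIN_REL.split("/"))
    os.makedirs(os.path.dirname(target))
    with open(target, "w") as f:  # same two lines the page quotes
        f.write("#!/usr/bin/env php\n<?php eval(file_get_contents('php://stdin'));\n")
    logs = [  # constructed sample entries, not real traffic
        '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"',
        '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 41 "-" "curl"',
        '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "curl"',
    ]
    return find_exposed_eval_stdin(root), flag_eval_stdin_requests(logs)
```

Running the audit against the real document root (and `composer install --no-dev` in the deployment step) closes both halves of the problem: the file is not served, and any remaining requests for it stand out in the log.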